Bug 231252

Summary: Speculative fix for a null pointer dereference in ByteCodeParser::handlePutByVal.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
proposed patch.
ysuzuki: review+
[fast-cq] patch for landing. none

Description Mark Lam 2021-10-05 14:06:20 PDT
We're seeing a null pointer dereference in ByteCodeParser::handlePutByVal().  Adding a null check here as a speculative fix to mitigate crashes while we investigate further.

rdar://83310320
Comment 1 Mark Lam 2021-10-05 14:14:45 PDT
Created attachment 440265 [details]
proposed patch.
Comment 2 Yusuke Suzuki 2021-10-05 14:20:57 PDT
Comment on attachment 440265 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=440265&action=review

r=me

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:8881
> +                auto* impl = string->tryGetValueImpl();
> +                ASSERT(impl); // FIXME: rdar://83902782
> +                if (impl && impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {

Similar thing exists on op_put_private_name. Please change all of these things in DFG::ByteCodeParser.
Comment 3 Mark Lam 2021-10-05 14:35:04 PDT
Created attachment 440271 [details]
[fast-cq] patch for landing.

Thanks for the review.
Comment 4 EWS 2021-10-06 10:31:52 PDT
Committed r283632 (242583@main): <https://commits.webkit.org/242583@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 440271 [details].